Novell Netware Order of Volatility and First Response Toolkit

NetWare Toolkit Foreword

In order to gather evidence for a forensic investigation from a NetWare server, one must first understand the following. NLM files (NetWare Loadable Modules) are the programs that return all forensic data to the investigator, and they run inside the kernel with full privileges. Nothing prevents a loaded NLM from being modified or replaced, so the copies on the server's SYS: volume should not be taken on trust. If there is any suspicion that a module has been tampered with, obtain known-good copies of the NLM files from the NetWare installation CD or from the support downloads at support.novell.com, preserve the originals before they are touched (a tampered module is itself evidence), and then use the known-good copies in place of the ones on the server. Because NLM programming material is scarce, no automated versions of these procedures are provided; each step is performed by hand.

Information to be collected, in the order in which the sections below gather it:

- system date and time
- Internet Protocol configuration
- users connected to the server
- server running processes
- MAC times of files on the server volumes
- recent console commands
- NetWare log files

Remote vs. Console

Because NetWare is designed to be administered off the server, much of the information an examiner needs can be gathered remotely as well as at the server console: from the console itself, from ConsoleOne and from iManager. Bear in mind that every remote path opens a connection to the server and may write log entries of its own, so note the time and method of each action taken; the examiner's footprint must later be distinguishable from the intruder's.

System Date and Time

The system time is recorded in several places on the NetWare server; the two most accessible are the console TIME command and the GUI clock. Record the server time together with a trusted reference clock read at the same moment, so that any skew can later be applied to every timestamp collected from the server.

To display the time at the console, type TIME and press Enter. Alongside the current time, the output reports the server's time zone, its daylight-saving setting and the status of time synchronisation, all of which should be recorded.

img1
Figure 1: Console Time

The GUI clock works as it does in any other desktop operating system and sits at the bottom left of the NetWare GUI taskbar, as shown in figure 2.

img2
Figure 2: Netware Taskbar

Internet Protocol Configuration

As with the previous item there are two ways to view the server's IP configuration, one from the console and one from the GUI. The console command used here is IPCONFIG, as on a Windows system (figure 3). The native NetWare CONFIG command gives a fuller picture and is worth running as well: it lists the server name, the loaded network boards and every protocol (IP and IPX) bound to each board, with its address.

img3
Figure 3: Console IP Configuration

The second option uses Novell's remote administration tool, ConsoleOne.

Log in to ConsoleOne, left-click the server object and click Properties to open the server's properties dialog. Under the General tab the IP configuration, and any IPX configuration, are shown in this window.

img4
Figure 4: Console1 Network Addresses

Users Connected to the Server

To establish who is connected to the NetWare server at present, the examiner can log in at a NetWare workstation and use the Send Message to Users function of the Novell client, which lists every connected user. This is not the only route: at the console, the MONITOR module (LOAD MONITOR) has a Connections option that lists each active connection with its user name and network address, and NetWare Remote Manager shows the same list through a browser. The workstation method has the advantage that nothing needs to be loaded on the server. Whichever is used, connections are highly volatile, so capture them early and note that the examiner's own connection will appear in the list.

To open the send-message dialog, left-click the N icon in the Windows taskbar, expand NetWare Utilities and click the Send Message to Users menu option, as illustrated in figure 5.

img5
Figure 5

The dialog that opens lists every user currently connected to the server; an option to show them grouped is also available. Record the list as displayed, including the examiner's own login.

img6

Server Running Processes

To establish which programs are running on the NetWare server, first log in to the GUI environment on the server, then open the "remote console program", which presents the console in a GUI window and gives a more organised view of the various console functions.

To cycle through the running programs, click the Screens menu option; this lists the console screens that loaded programs have opened. To view the parameters with which a program is running, click its entry under the Screens command. Note that the screen list only shows modules that have opened a console screen. For a complete list of every loaded module with its version and date, type MODULES at the console; it is this listing, not the screen list, that should be compared against the set of modules expected on the server.

img7
Figure 6

img8
Figure 7

img9
Figure 8

Figures 7 & 8: Various programs running on server

MAC Times (Modified, Accessed, Created)

As the NetWare system was designed to minimise administrator time at the console, the console itself has no built-in directory listing command. The Windows DIR command can be used instead to produce the listing and the MAC times. Because the server shares each whole volume and then restricts access per directory through trustee rights, the examiner logs in at a workstation as Admin (so that every volume and directory is visible), maps the server volumes to network drives, and records the MAC times as on an ordinary Windows workstation. Two cautions apply: Admin has full rights, so write the listing to the workstation and never to the mapped drive, and take the listing before opening any file on the server, since opening a file can update its last-accessed date.

The following commands are entered at the Windows command prompt. DIR shows only one timestamp per run, so it is run once per time field with the /T switch (/T:W last written, /T:A last accessed, /T:C created), together with /S to recurse into subdirectories and /4 to display four-digit years.

img10

img11
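The DIR listing records one timestamp per run and nothing ties the listing to the contents of the files. The following script is an added example, not code from the original toolkit or from Novell: run on the same Windows workstation against the mapped drive, it records all three times and a SHA-256 for every file in one pass, reading each file's metadata before opening it because the open itself can alter the last-accessed date. The drive letter, the report file name and the sample files are assumptions; with no arguments it inventories a constructed sample tree so it can be tried offline.

```python
"""Record MAC times and a SHA-256 for every file under a mapped NetWare volume.

Added example; this is not code from the original guide or from Novell. It
assumes the examiner has mapped the server volume to a drive letter from a
Windows workstation logged in as Admin, as the guide describes. The drive
letter, the report file name and the sample files are assumptions.
"""
import csv
import hashlib
import os
import sys
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so large volumes do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_utc(ts):
    """Render a POSIX timestamp in ISO-8601 UTC so clock skew can be applied later."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def collect_mac_times(root):
    """Walk root and return one record per file: path, size, M/A/C times, SHA-256."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so two runs can be compared
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Read the metadata BEFORE opening the file: hashing it afterwards
            # may update the last-accessed date on the server, and the original
            # value would otherwise be lost.
            st = os.stat(full)
            # On Windows (where the mapped drive lives) st_ctime is the creation
            # time; st_birthtime is preferred where the platform provides it.
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "modified": iso_utc(st.st_mtime),
                "accessed": iso_utc(st.st_atime),
                "created": iso_utc(created),
                "sha256": sha256_of(full),
            })
    return records


def write_report(records, out_path):
    """Write the records as CSV to the workstation (never to the mapped volume)."""
    fields = ["path", "size", "modified", "accessed", "created", "sha256"]
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(records)
    return len(records)


def build_sample_tree():
    """Constructed stand-in for a mapped SYS: volume so the script runs offline."""
    root = tempfile.mkdtemp(prefix="nwvol_")
    os.makedirs(os.path.join(root, "SYSTEM"))
    os.makedirs(os.path.join(root, "LOGIN"))
    with open(os.path.join(root, "SYSTEM", "AUTOEXEC.NCF"), "wb") as fh:
        fh.write(b"hello")  # constructed content, not a real AUTOEXEC.NCF
    with open(os.path.join(root, "LOGIN", "EMPTY.TXT"), "wb"):
        pass  # zero-length file: hashing must still succeed
    return root


if __name__ == "__main__":
    # Usage: python mac_times.py M:\ C:\evidence\sys_mac_times.csv
    # With no arguments the constructed sample tree is inventoried instead.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    out = sys.argv[2] if len(sys.argv) > 2 else "mac_times.csv"
    count = write_report(collect_mac_times(root), out)
    print(f"{count} files recorded from {root} into {out}")
```

Run it once per mapped volume and keep the CSV with the rest of the evidence; timestamps are written in UTC so the skew measured against the reference clock can be applied uniformly afterwards.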

Recent Console Commands

To view recent commands entered at the server, use the GUI Console Log: click Utilities and then the Console Log item on the main menu (figure 9).

img12
Figure 9

The window that opens (figure 10) shows the recent console commands; it functions as a keystroke record of everything typed at the console, both at the local console and in remote console sessions.

img13
Figure 10

The log can be saved and appended from this program; save it to the workstation rather than to the server. If the CONLOG module was loaded on the server, console output is also being written to SYS:ETC\CONSOLE.LOG, which should be preserved as well.

Netware Log Files

By far the most critical part of a NetWare first response is the log files; the NetWare system was engineered with heavy emphasis on logging. The files are located on the server, and normally only Admin (or a user with equivalent rights) can read them. Copy the files from the server to a separate location on the workstation, record a hash of each file at the time it is copied, and leave the originals untouched.

The files are located in the following directory:

SYS:JAVA/NWGFX

The server error log, SYS:SYSTEM\SYS$LOG.ERR, and any abend log, SYS:SYSTEM\ABEND.LOG, should be collected at the same time.

Figure 11 shows a directory listing of the NetWare log file directory.

img14
Figure 11
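The copy step above is where evidence is most easily spoiled: a file copied without a hash cannot later be shown to match what was on the server. The following script is an added example, not code from the original toolkit or from Novell: it copies every file in a log directory reached through the mapped drive to an evidence folder on the workstation, hashes each file before and after the copy, makes the copy read-only, and writes a manifest. The source and destination paths, the manifest name and the sample log files are assumptions; with no arguments it acts on a constructed sample directory.

```python
"""Preserve NetWare log files on the workstation with an integrity manifest.

Added example; not code from the original guide or from Novell. It assumes the
log directory (the guide's SYS:JAVA/NWGFX, or any other directory) is reachable
through a mapped drive and that an evidence folder exists on the workstation.
The paths, the manifest name and the sample files are assumptions.
"""
import hashlib
import os
import shutil
import stat
import sys
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_logs(src_dir, dest_dir):
    """Copy each file in src_dir to dest_dir; return one manifest row per file.

    The source is hashed first, copied with shutil.copy2 so its modification
    time travels with it, hashed again on the workstation and made read-only.
    Record the directory's MAC times before running this: reading the files
    can update their last-accessed dates on the server.
    """
    os.makedirs(dest_dir, exist_ok=True)
    rows = []
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        if not os.path.isfile(src):
            continue  # subdirectories are out of scope here
        acquired = datetime.now(timezone.utc).isoformat()
        src_hash = sha256_of(src)
        dst = os.path.join(dest_dir, name)
        # copy2 refuses to overwrite an existing read-only copy, so a second
        # run into the same evidence folder fails rather than replacing evidence.
        shutil.copy2(src, dst)
        os.chmod(dst, stat.S_IREAD)  # read-only: guards against accidental edits
        rows.append({
            "name": name,
            "size": os.path.getsize(src),
            "acquired_utc": acquired,
            "sha256": src_hash,
            "verified": sha256_of(dst) == src_hash,
        })
    return rows


def write_manifest(rows, manifest_path):
    """Write a tab-separated manifest; return the number of files that verified."""
    ok = 0
    with open(manifest_path, "w") as fh:
        fh.write("name\tsize\tacquired_utc\tsha256\tverified\n")
        for r in rows:
            fh.write(f"{r['name']}\t{r['size']}\t{r['acquired_utc']}\t"
                     f"{r['sha256']}\t{r['verified']}\n")
            ok += int(r["verified"])
    return ok


def build_sample_logs():
    """Constructed log directory standing in for the mapped server directory."""
    src = tempfile.mkdtemp(prefix="nwlogs_")
    with open(os.path.join(src, "SAMPLE.LOG"), "wb") as fh:
        fh.write(b"hello")  # constructed content, not a real NetWare log
    with open(os.path.join(src, "EMPTY.LOG"), "wb"):
        pass  # zero-length log: must still copy and verify
    os.makedirs(os.path.join(src, "subdir"))  # skipped by preserve_logs
    return src


if __name__ == "__main__":
    # Usage: python preserve_logs.py M:\JAVA\NWGFX C:\evidence\nwgfx_logs
    # With no arguments a constructed sample directory is used instead.
    src = sys.argv[1] if len(sys.argv) > 1 else build_sample_logs()
    dest = sys.argv[2] if len(sys.argv) > 2 else src + "_evidence"
    rows = preserve_logs(src, dest)
    verified = write_manifest(rows, os.path.join(dest, "manifest.tsv"))
    print(f"{verified} of {len(rows)} files copied and verified into {dest}")
```

Any row whose verified column is False means the copy does not match the source (a file changing while it was read, for example) and the copy should be repeated before the original is relied on.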